Graham Henley from Getdata.com
Listen Now Download as mp3 from the show Gauging Age, Virtual Life, Reading Emotions and Cyber-Forensics
Ben - Many of us rely on using computers to store an awful lot of vitally important information and there's nothing like the heart-sinking feeling when you've deleted the wrong file or even worse you turn on the computer to be greeted by an error message saying, 'no bootable partition,' meaning your hard drive is completely dead.
There may be a way you can get back that data, even the things that you thought you'd deleted on purpose. On the line with me now is Graham Henley from Getdata.com. So Graham, firstly how is data actually stored on a hard disk?
Graham - A hard drive is a magnetic medium so as we all know it's stored as 1s and 0s on the drive. When a file gets stored on a computer essentially there's a table at the start of the hard disk. The table tells the operating system, Windows, whereabouts that file is stored on the disk. When you press the delete button or in fact format your drive what you're doing is going to that table at the start of the disk and telling the computer that that particular reference, that file in that table is no longer there. It doesn't go out to the disk itself, find the data and overwrite it.
Ben - Although Windows no longer knows where to look if you were to actually look through the hard disk itself you'd be able to find all the files you thought you'd formatted away?
Graham - Yeah that's right. It's essentially like going to the index of a book and then taking a pen and then scrubbing out the index entries. The page with the content is still out there in the middle of the book. It's just that the book no longer knows how to find it. You can imagine that all that data is still out there on the disk and can be recovered.
Ben - So what about when it seems that your hard drive has died? Even if the actual contents effectively are still there and you've still got the index file at the beginning of it, if you can't get your hard drive to work the surely you can't get to that data?
Graham - There's two types of data recovery. If you have a physical problem with your hard drive, and hard drives do physically fail, they wear out, bits get old and worn down then your only hope to get data back is to send it to a hardware recovery service. Probably 60 or 70% of the time the problems with having lost data or deleted files is usually what we call a logical problem. That means that the drive is physically functioning okay, it's just that the logic of how the files are found or where the files are on the disk is a bit screwed up.
Ben - So how do you go about getting back the data that we think we've deleted?
Graham - Well, our program Recover My Files goes out to the drive and does three levels of search. The first type of search it can do is look for a partition. Now partition is a fancy word for what we describe as the C: drive, D: drive or the E: drive. What it's trying to find is that big index full of files. It finds that index, it interprets it and displays all the files. The next step down from that is every single file in that computer at the start of the table has an entry. That entry tells the computer the name of the file and the storage sectors on the disk where that file resides. In many cases all that information has been destroyed. You might have somehow overwritten that first part of your disk and corrupted all of that information. The very lowest level of search that Recover My Files does is it goes across the drive. It tries to fin individual files on the drive by their header and their footer. Every Microsoft Word document starts in a particular way. At the start of the file there's certain characters that can easily be identified. We identify the start of the file, we look for the structure of the file and then we identify the footer of the file. We can still bring that out and display it as a file. You can still see pictures, documents and other sorts of files.
Ben - Doesn't this mean that if you sell off your old computer or your old hard drive then people can use this software, such as identity thieves could you use it and actually get back your files, which may contain your bank details or your passport information, that sort of thing?
Graham - If you're ever in the situation where you want to give away a hard drive it's very important that you wipe a hard drive clean. When you delete a file it's recoverable and it'll stay on your drive. It will only stay on there up until such time as it's overwritten by something else. You need to deliberately go out and wipe that hard drive clean. The wiping programs that are available, they go out and they start at the beginning of the drive and write 0s all the way across the drive, right to the very end. That's what's meant by wiping a drive. If you just format your drives when you're giving them away that doesn't do it. All your data is still in the drive. It's a real security risk.
Ben - I understand that you used to work with the police doing their data recovery from seized computers. Did you just use the same techniques there or do you have to go a bit more forensic when looking for evidence of a crime?
Graham - Myself and one of my colleagues were in the Australian Federal Police in Australia. We worked in the Computer Crime section and we were obviously very involved in high profile and complex investigations involving computer evidence. Really, the way our company got started is that we were having to write our own applications in order to go out and interpret data on the hard drive and to recover deleted files.
Ben - Are criminals savvy enough with computers to make sure they do actually wipe their data?
Graham - I've examined drives and found they've employed a wiping tool. In one particular case we could see that the person had overwritten the data before we'd arrived and I could see in the storage sectors the words, 'sucked in,' all the way across the drive. They'd deliberately gone out and wiped it clean and left a message there for us.
Ben - So criminals are obviously paying attention, they know how to wipe their drives. What about government institutions and so on? Could you goout, buy a load of second-hand hard drives and get some really juicy data out of that?
Graham - It's an interesting exercise to go to a second-hand computer market, pick up some hard drives and run Recover My Files. It's just incredible what you can bring back. It's not just the files that are on there. If you imagine when you're surfing the web all your web pages are being brought down and stored on your computer. If you do web banking, for example, you can see balances and transactions etcetera in those web pages.
Ben - I guess the moral of this is don't panic if you did delete something you didn't intend to but do make sure you wipe your hard drive completely clean before selling it on.
Graham - Absolutely, the information that can be contained on a hard drive about someone's life is incredible so if you're ever selling your harddrive on then you definitely should wipe it.